Mobility brings new ways to tackle IT security threats

Enterprise mobility has brought major changes to the way IT approaches security, especially when it comes to controlling network access.

Keeping enemy attackers from storming the gates of the corporate IT castle used to be pretty simple. But mobility changed all that.

With the great power of mobile comes the great responsibility of mobile security, and IT can't rely on old tactics to keep sensitive information out of the wrong hands. The biggest change is in how workers access corporate data. Years ago, business users did all their work on a company-issued desktop hooked into a corporate network. The typical approach to security was to build a castle wall to keep the data inside, said Matt Kosht, an IT director at a utility company in Alaska.

"Most corporations bought all their own equipment, and they weren't having people come in and out," Kosht said. "If [users] were inside your network, you were pretty confident it was safe."

Today, IT has to contend with users accessing corporate data on smartphones, tablets and wearables from a variety of locations. The reliability and security of outside networks present their own data security challenges. Building a wall isn't enough anymore. Nor is it feasible in many cases. Users can easily find ways to get around IT and use unsanctioned personal devices, apps and networks to get their work done.

"Security is broken," said Ajay Arora, CEO of Vera, a startup that offers file-level security. "The perimeter-based approach is not sufficient."

Mobile security requires an approach that protects apps themselves, secures data wherever it resides and better monitors access to sensitive information. The switch to a more mobile world now informs how organizations implement security overall. IT departments should not treat the two differently, said Craig Mathias, founder of the Farpoint Group, a wireless technology advisory firm in Ashland, Mass.

"All the principles need to be the same anywhere you can get connectivity," Mathias said.

A new approach to mobile security

Shortly after the introduction of Apple's iPhone in 2007, tools arrived to help organizations prevent corporate data leakage. Mobile device management (MDM) was the rage at first, but that only goes so far, said Alisdair Faulkner, chief products officer with ThreatMetrix, a user authentication software provider in San Jose, Calif.

"You can't forever be chasing and patching every single device," Faulkner said. "You can't forever hope to roll out an MDM solution that's going to fully satisfy all your use cases."


Mobile application management (MAM) and mobile content management (MCM) are two newer approaches that allow workers the freedom to use the tools they want while keeping corporate data within IT's grasp. For example, a sandboxed email app is specifically designed to keep data within that specific app and other authorized apps. If a device is lost, MAM allows IT to wipe only the sandboxed email app and its data.

The unique nature of mobile operating systems themselves has also provided new security opportunities. For example, mobile devices have managed to avoid many of the antivirus concerns that threaten Windows PCs, thanks to more closed operating systems such as Apple iOS, said Chris Hazelton, research director for enterprise mobility at 451 Research. OS vendors can still do more to help, including allowing IT to turn off specific app permissions and ensuring third-party apps can't collect employee data, he said.

"A developer can sell and monetize your information if they can track your location," he added.

ID, please

Identity access management (IAM) is one security technology that's become even more important in the mobile era. With IAM, IT can set application permissions for users, capture and record user behavior and more easily authorize and audit apps. Without strong IAM in place, IT could miss abnormal behavior, like an employee based in one location logging on from a different location—a potential sign of a breach.
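The abnormal-location check described above, as an added example that is not from the article or from any vendor it quotes. The users, coordinates, log format and both thresholds are constructed assumptions; it flags logins far from a user's base location and pairs of logins too far apart to be reached in the elapsed time.

```python
import math
from datetime import datetime

# Constructed sample data (assumption): each user's base office and a list of
# login events as (user, ISO timestamp, latitude, longitude from IP geolocation).
HOME = {"alice": (61.22, -149.90), "bob": (42.26, -71.46)}
LOGINS = [
    ("alice", "2024-03-01T08:00:00", 61.20, -149.88),
    ("alice", "2024-03-01T09:30:00", 37.34, -121.89),
    ("bob",   "2024-03-01T08:15:00", 42.27, -71.45),
    ("bob",   "2024-03-02T18:00:00", 51.51, -0.13),
]
HOME_RADIUS_KM = 100   # assumed tolerance around the base location
MAX_SPEED_KMH = 900    # assumed ceiling: roughly airliner cruising speed

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def flag_logins(logins, home, radius_km=HOME_RADIUS_KM, max_kmh=MAX_SPEED_KMH):
    """Return (user, timestamp, reasons) for every login worth reviewing."""
    last, alerts = {}, []
    for user, ts, lat, lon in sorted(logins, key=lambda e: e[1]):
        when, where, reasons = datetime.fromisoformat(ts), (lat, lon), []
        if user not in home:
            reasons.append("no_baseline")        # cannot compare, so surface it
        elif haversine_km(home[user], where) > radius_km:
            reasons.append("away_from_base")
        if user in last:
            prev_when, prev_where = last[user]
            hours = (when - prev_when).total_seconds() / 3600
            dist = haversine_km(prev_where, where)
            # Ignore small hops; flag when the implied speed is not plausible.
            if dist > radius_km and (hours <= 0 or dist / hours > max_kmh):
                reasons.append("impossible_travel")
        last[user] = (when, where)
        if reasons:
            alerts.append((user, ts, reasons))
    return alerts

if __name__ == "__main__":
    for alert in flag_logins(LOGINS, HOME):
        print(alert)
```

A login that is only away from base is usually travel and fits a step-up authentication prompt; the impossible-travel case is the stronger sign of a stolen credential or session.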

"If I can assume your identity, or assume your device profile and look like your device, then I can get access to the corporate crown jewels," Faulkner said.

In the desktop era, an employee typically used just one device to do work and didn't take it out of the office. IAM is more difficult nowadays in part because of barriers put up by mobile OS vendors, Hazelton said. For example, iOS devices are designed as consumer products, and Apple discourages any kind of management agent running on the device from disrupting user experience, he said.

Not location, location, location

Mobility upended the assumption that where a user accesses information is the most important aspect of enterprise security. New IT security threats have affected all of modern enterprise security.

"It's not about keeping bad people out of your device," Kosht said. "It's about keeping bad people out of your data. You have to design systems around the fact that people are going to breach them."

The ubiquity of mobile devices, cellular networks and Wi-Fi hotspots means there are more chances than ever for sensitive data to find itself in the wrong place at the wrong time. And the rise of high-speed Internet access gives attackers more bandwidth over which to steal reams of data. Organizations must change to deal with these new IT security threats.

"Mobile has brought a Cambrian explosion, in both the level of commerce that it enables and the degree of sophistication of cyber-attacks," Faulkner said.
